Accepting request 644083 from mozilla:Factory

in preparation of Firefox 63

- update to NSS 3.39
  * required by Firefox 63.0
  Notable bug fixes
  * NSS responded to an SSLv2-compatible ClientHello with a
    ServerHello that had an all-zero random (CVE-2018-12384) (bmo#1483128)
  New functionality
  * The tstclnt and selfserv utilities added support for configuring
    the enabled TLS signature schemes using the -J parameter.
  * NSS will use RSA-PSS keys to authenticate in TLS. Support for
    these keys is disabled by default but can be enabled using
    SSL_SignatureSchemePrefSet().
  * certutil added the ability to delete an orphan private key from
    an NSS key database.
  * Added the nss-policy-check utility, which can be used to check
    an NSS policy configuration for problems.
  * A PKCS#11 URI can be used as an identifier for a PKCS#11 token.
  Notable changes
  * The TLS 1.3 implementation uses the final version number from
    RFC 8446.
  * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature
    where the DigestInfo structure was missing the NULL parameter.
    Starting with version 3.39, NSS requires the encoding to contain
    the NULL parameter.
  * The tstclnt and selfserv test utilities no longer accept the -z
    parameter, as support for TLS compression was removed in a
    previous NSS version.
  * The CA certificates list was updated to version 2.26.
  * The following CA certificates were Added:
    - OU = GlobalSign Root CA - R6
    - CN = OISTE WISeKey Global Root GC CA

OBS-URL: https://build.opensuse.org/request/show/644083
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=140

malloc.patch

@@ -1,19 +1,8 @@
-# HG changeset patch
-# Parent  032e1235ede0393863f4720ba6746baa24cb68e4
-Index: security/nss/tests/ssl/ssl.sh
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v
-retrieving revision 1.100
-
 diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+index c1730d8..5eee525 100755
 --- a/tests/ssl/ssl.sh
 +++ b/tests/ssl/ssl.sh
-@@ -1354,12 +1354,13 @@ ssl_run_tests()
-             fi
-             ;;
-         esac
-     done
- }
+@@ -1449,6 +1449,7 @@ ssl_run_tests()
  
  ################################# main #################################
  
@@ -21,4 +10,3 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  ssl_init
  ssl_run_tests
  ssl_cleanup
- 

mozilla-nss.changes

@@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Sun Oct 21 07:39:58 UTC 2018 - wr@rosenauer.org
+
+- update to NSS 3.39
+  * required by Firefox 63.0
+  Notable bug fixes
+  * NSS responded to an SSLv2-compatible ClientHello with a
+    ServerHello that had an all-zero random (CVE-2018-12384) (bmo#1483128)
+  New functionality
+  * The tstclnt and selfserv utilities added support for configuring
+    the enabled TLS signature schemes using the -J parameter.
+  * NSS will use RSA-PSS keys to authenticate in TLS. Support for
+    these keys is disabled by default but can be enabled using
+    SSL_SignatureSchemePrefSet().
+  * certutil added the ability to delete an orphan private key from
+    an NSS key database.
+  * Added the nss-policy-check utility, which can be used to check
+    an NSS policy configuration for problems.
+  * A PKCS#11 URI can be used as an identifier for a PKCS#11 token.
+  Notable changes
+  * The TLS 1.3 implementation uses the final version number from
+    RFC 8446.
+  * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature
+    where the DigestInfo structure was missing the NULL parameter.
+    Starting with version 3.39, NSS requires the encoding to contain
+    the NULL parameter.
+  * The tstclnt and selfserv test utilities no longer accept the -z
+    parameter, as support for TLS compression was removed in a
+    previous NSS version.
+  * The CA certificates list was updated to version 2.26.
+  * The following CA certificates were Added:
+    - OU = GlobalSign Root CA - R6
+    - CN = OISTE WISeKey Global Root GC CA
+  * The following CA certificate was Removed:
+    - CN = ComSign
+  * The following CA certificates had the Websites trust bit disabled:
+    - CN = Certplus Root CA G1
+    - CN = Certplus Root CA G2
+    - CN = OpenTrust Root CA G1
+    - CN = OpenTrust Root CA G2
+    - CN = OpenTrust Root CA G3
+
 -------------------------------------------------------------------
 Sun Oct 14 08:10:08 UTC 2018 - meissner@suse.com
 

mozilla-nss.spec

@@ -13,7 +13,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -21,11 +21,11 @@
 
 Name:           mozilla-nss
 BuildRequires:  gcc-c++
-BuildRequires:  mozilla-nspr-devel >= 4.19
+BuildRequires:  mozilla-nspr-devel >= 4.20
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.38
+Version:        3.39
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_38_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.38/nss ; cd nss-3.38/nss ; hg up NSS_3_38_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_39_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.39/nss ; cd nss-3.39/nss ; hg up NSS_3_39_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -265,6 +265,7 @@ cp -L  lib/libcrmf.a \
 cp -L  bin/certutil \
        bin/cmsutil \
        bin/crlutil \
+       bin/nss-policy-check \
        bin/modutil \
        bin/pk12util \
        bin/signtool \

nss-3.38.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2c643d3c08d6935f4d325f40743719b6990aa25a79ec2f8f712c99d086672f62
-size 23023474

nss-3.39.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6be64dd76f212415cc8bc34343ac1e7389048db4db9a023a84873c411dc5864b
+size 23048561